Secure Network - Security Research Advisory

Vuln name: XSS in Genesys Voice Portal Manager
Systems affected: Voice Portal Manager version 7.2.015.02, possibly others
Systems not affected:
Severity: Low
Local/Remote: Remote
Vendor URL: www.genesyslab.com
Author(s): Claudio Criscione, c.criscione@securenetwork.it
Relates to:
Vendor disclosure: Vendor was contacted on 28 May 2008 but failed to answer
Vendor acknowledged:
Vendor patch release:
Public disclosure: 1 July 2008
Advisory number: SN-2008-03
Advisory URL: http://www.securenetwork.it/ricerca/advisory/download/SN-2008-03.txt

*** SUMMARY ***

Genesys is a leading company in providing VOIP solutions, and, according to its website, the world’s first contact center software company.

Voice Portal Manager is part of Genesys Voice Platform, a software, standards-based platform that enables businesses to provide cost-effective customer interactions 24x7. Genesys Voice Platform provides touchtone access to applications and incorporates speech recognition technology for conversational exchange to identify and resolve customer requests.

Secure Network discovered an input validation error which leads to an XSS vulnerability in Voice Portal Manager's web console. The vulnerability was discovered and tested on version 7.2.015.02, but other versions are likely to be vulnerable as well.

*** VULNERABILITY DETAILS ***

The dynamicTreeXSL parameter is not validated before being printed in the content_with_frame.php page.

*** EXPLOIT ***

A POC is provided:

/content_with_frame.php?service=IPCS&dynamicTreeXSL=">XSS&action=IPCSSummary&title=IPCS%20Call%20Summary&nodePath=

*** FIX INFORMATION ***

No patch is currently available.

*** WORKAROUNDS ***

No workaround is available, but some application firewalls and IPS can be reconfigured to thwart the attack.
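The check that a reconfigured application firewall or IPS would perform can also be run over web-server logs. The following is an added example, not part of the original advisory and not vendor code: it flags requests to content_with_frame.php whose dynamicTreeXSL value contains HTML metacharacters after percent-decoding. The sample request targets are constructed, and the benign value tree.xsl is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

PAGE = "/content_with_frame.php"   # page named in the advisory
PARAM = "dynamicTreeXSL"           # parameter named in the advisory
HTML_META = set("<>\"'")           # characters able to close an attribute or open a tag

# Constructed request targets, as they would be extracted from an access log.
# "tree.xsl" is an assumed benign value, not taken from the product.
SAMPLE_TARGETS = [
    "/content_with_frame.php?service=IPCS&dynamicTreeXSL=tree.xsl&action=IPCSSummary",
    "/content_with_frame.php?service=IPCS&dynamicTreeXSL=%22%3EXSS&action=IPCSSummary",
    "/content_with_frame.php?service=IPCS&dynamicTreeXSL=%2522%253EXSS&nodePath=",
    "/index.php?dynamicTreeXSL=%22%3EXSS",
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253E) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(request_target):
    """Return decoded dynamicTreeXSL values that contain HTML metacharacters."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(PAGE):
        return []
    hits = []
    # parse_qsl does one round of decoding; keep_blank_values keeps "param=".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == PARAM:
            value = decode_fully(value)
            if HTML_META & set(value):
                hits.append(value)
    return hits


def scan(targets):
    """Return (target, values) pairs for every flagged request."""
    return [(t, v) for t in targets if (v := suspicious_values(t))]


if __name__ == "__main__":
    for target, values in scan(SAMPLE_TARGETS):
        print("ALERT", values, target)
```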
*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2008 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 402